CompTIA CASP+ (CAS-003) — Question 222

A Chief Information Security Officer (CISO) recently changed jobs into a new industry. The CISO's first task is to write a new, relevant risk assessment for the organization. Which of the following would BEST help the CISO find relevant risks to the organization? (Choose two.)

Answer options

• A. Perform a penetration test.
• B. Conduct a regulatory audit.
• C. Hire a third-party consultant.
• D. Define the threat model.
• E. Review the existing BIA.
• F. Perform an attack path analysis.

Correct answer: C, E

Explanation

Hiring a third-party consultant can provide specialized expertise and an unbiased perspective on potential risks that the organization may face. Reviewing the existing Business Impact Analysis (BIA) helps in understanding the critical functions of the organization and their associated risks. The other options, while useful, do not directly assist in identifying relevant risks in the same comprehensive manner.